
Cybersecurity 101: Password Best Practices

In May of 2021, hackers shut down the Colonial Pipeline with ransomware. But what many people don't realize is that this wasn't a sophisticated cyber attack. In fact, the hackers responsible gained access with a compromised password.

Passwords are the key to everything we hold dear. They're the last line of defense between hackers and our bank accounts, social media, and more. And given that hackers have stolen over 15 billion passwords, "password123" is not enough.

You need password best practices. Using the same easy password for multiple accounts is going to get you into a lot of trouble. Question is, how do you keep your passwords strong and safe?

National Cybersecurity Month is here, and to celebrate, we're going back to the basics. In this episode of Cybersecurity 101, we're talking about password best practices. Stick around as we discuss everything you need to know.


How Secure Are Passwords?

Passwords have a long history in cybersecurity. But it's 2023, and security experts have been warning for years of their inherent vulnerabilities. Hackers have perfected their ability to steal passwords after decades of social engineering and brute-force dictionary attacks.

It's hard to even know where to begin with the problems passwords present. It's not just that they're often easy to guess or provide access to whoever knows them. It's that companies often store them in plain text or use unsalted hashes.

People are lax when it comes to passwords. We ignore the advice to change passwords on a regular basis. News of a password breach doesn't even get us to blink an eye.

In addition to this, passwords are an inherently flawed design. They're a short string of characters that a computer can crack given enough time.

People make very little effort to protect their passwords. They're easy to steal, too. Hackers can record keystrokes, look over someone's shoulder, or study the reflection in their glasses.

A Future Without Passwords

Passwords may soon be on their way out the door. The writing is already on the wall. Companies like Microsoft no longer use passwords internally and offer users the same option.

Some alternatives like SQRL have come and gone, but security experts haven't given up. Apple and other companies are making the push toward passkeys. These allow for secure, effortless login.

Biometric authentication is already the norm for unlocking many mobile devices. These are much stronger methods than passwords since hackers cannot easily spoof them.

Hackers will adapt to hack these things one day. But so far, the future is looking bright in terms of security and convenience. That future, however, is still a long way off.

Password Best Practices: What You Can Do to Strengthen Your Passwords

Passwords are here to stay until future alternatives become mainstream. That means it's in your best interest to have strong passwords now. If hackers can compromise an oil pipeline, they can and will compromise your organization's network.

Fortunately, passwords don't have to be a weak login authentication method. In fact, there is a lot you can do to make them virtually impervious. All it takes is a bit more effort and care.

Let's discuss some of the things you can do to strengthen your passwords.

1. Use Long Passwords

It pays to understand how hackers get passwords in the first place. Their tactics boil down to three main methods:

  • They use a brute force attack, trying all potential password combinations until they gain access
  • They steal the password, usually due to poor password storing methods
  • They obtain the password through social engineering, such as with a phishing email

Even if you never respond to phishing emails and your company uses salted hashes, a computer can always guess your password. Easy passwords don't take any time at all to guess.

If your password is 8 characters or fewer, a hacker can guess it in less than 8 hours. Any shorter than that, and a hacker could guess it nearly instantly.

On the flip side, a password that's 18 characters long could take up to 438 trillion years for a computer to guess. This is because for every character you add, the number of possible combinations grows exponentially. Hackers don't waste their time trying to guess long passwords.

2. Use Strong Passwords

Length isn't the only thing to keep in mind. If your password is "ILikeDonutsBecauseTheyreGood," that's still an easy password to guess. Brute force dictionary attacks, as the name implies, use known words to guess a password.

To make a password strong, you need to use a combination. This combination should include letters, numbers, and special characters. The password "%[WX)5#x/(3[&MGB3&OZPqlqE34Ws]Vy" would take trillions of years to guess.

The above password is a lot stronger because its characters are in random order. It's easy to guess the string "dog" because it will appear in a brute force dictionary. The string "j(>", on the other hand, appears far less often in such lists, which makes it stronger.

Don't try to make up these passwords on your own. Use a password generator. You can tweak how long you want it to be and what types of characters it includes.
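An added illustration (not from the original article) of the two points above: the search space grows exponentially with length, while a password built from dictionary words is guessed word by word rather than character by character. The word list and the guess rate of 10 billion per second are constructed assumptions for the sake of the calculation.

```python
import math
import re
import string

# Constructed stand-in for a cracking dictionary (assumption: real word lists
# hold millions of entries, which makes word-built passwords weaker still).
DICTIONARY = {"i", "like", "donuts", "because", "theyre", "good", "password", "dog"}

# Assumed offline guess rate against a fast, unsalted hash (illustrative only).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the union of ASCII character classes an attacker must enumerate."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits: every added character multiplies the space."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(password: str, dictionary=DICTIONARY):
    """Bits needed when the password is a run of dictionary words (CamelCase or
    lowercase); None when it does not decompose fully into known words."""
    words = [w.lower() for w in re.findall(r"[A-Z][a-z]*|[a-z]+", password)]
    if not words or "".join(words) != password.lower():
        return None
    if not all(w in dictionary for w in words):
        return None
    return len(words) * math.log2(len(dictionary))


def effective_bits(password: str) -> float:
    """The attacker takes the cheaper route, so the weaker estimate wins."""
    brute = brute_force_bits(password)
    dict_bits = dictionary_bits(password)
    return min(brute, dict_bits) if dict_bits is not None else brute


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** effective_bits(password) / rate / (365 * 24 * 3600)
```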

3. Use a Password Manager

One look at the password above, and you might have spotted a problem. If your password is "%[WX)5#x/(3[&MGB3&OZPqlqE34Ws]Vy", then it will take an awfully long time to type it in.

Get one character wrong, and you have to start over. Get it wrong too many times, and you risk locking yourself out of your account.

Further, it would be impossible to remember it. You'd need to write it down. If you're thinking that that's a terrible password protection strategy, you're right.

If you're wondering how to protect passwords, look no further than a password manager. It's one of many essential tools for your organization's cybersecurity.

A password manager is an encrypted vault where you store all your passwords. You no longer have to memorize passwords, especially complicated ones.

To unlock the vault, you'll need a single master password. That password, of course, will need to be very strong.

Password managers often include useful features, such as strong password generators. They may check to see if your password was stolen on the dark web. They may even remind you when it's time to change your passwords.

4. Use Two-Factor Authentication on Your Accounts

Two-factor authentication (2FA) adds an extra layer of security to passwords. In order to gain access to your account, you need to provide a temporary code. This code comes in the form of an SMS or an OTP (one-time password) 6-digit code.

With SMS, you receive a code through your phone number. You usually have to enter this code within a specified time frame.

With OTP, you download an app such as Google Authenticator. This requires some additional setup where you'll scan a QR code. Then, your phone will generate 6-digit OTP codes every 30 seconds.

This makes it virtually impossible for a hacker to gain access to your account. That said, not all 2FA is equal.

An SMS is inherently weaker than an OTP code. This is because hackers can spoof your mobile device and receive the code in your name. That allows them to gain access without your knowledge.

Of course, any 2FA is better than none. But if you have the option to use OTP, you should choose it over SMS.

It's essential to use OTP 2FA on your password manager. Otherwise, hackers can gain access to all your passwords. Failure to use 2FA could lead to a very bad day for you.

5. Use Different Passwords for Different Accounts

What gets people in trouble isn't just that they use weak passwords. It's that they use the same password on all their accounts. Their business email is secured by the same password they use for a questionable site with lax security.

This is often how hackers compromise your accounts. They don't know all your passwords, but they do know one of them. They then try that one password everywhere and see where it gives them access.

Thanks to your new password manager, this won't be an issue anymore. You can generate a unique password for every account with ease.

6. Use Stronger Passwords for Critical Accounts

You should use long, strong passwords for any and all accounts. Your password manager makes this easy to do. However, strengthening the passwords on your critical accounts is of the utmost importance.

Password limits differ from website to website. Some will require you to use at least one uppercase letter, one number, and one symbol. Others won't require that, and some instead restrict password length to fewer than 12 characters.

You should try to use the longest passwords possible. Some websites will allow up to 128 characters. Check the password limits on critical accounts and change to the longest passwords that they allow.

7. Change Passwords on a Regular Basis

The FBI has recorded a 300% increase in cyber attacks since the pandemic. The verdict is clear: hackers are tireless, and they've only accelerated their work. Breaches are happening every day, and those breaches result in massive password leaks.

The debate on how often you should change your passwords is ongoing. Some recommend doing so every three months. Others say you should only change your password after a known breach.

Whatever the case, the general consensus is to change your passwords on a regular basis. Once a year is an acceptable amount of time. This is a good preventative measure since you never know when someone will steal your passwords.

8. Use a Darkweb Breach Monitor

It takes an average of a year to identify that a breach happened. It takes even more time for a company to report a breach and take appropriate action. That means there's a long period of time when no one but the hackers knows that a breach happened.

Hackers often sell stolen passwords straight to the dark web. They upload them in bulk files, allowing others to filter through them for worthwhile accounts. Before a company is even aware of a breach, hackers set to work.

Luckily, there are online services that monitor the dark web. They find out when these breaches happen and scan the stolen passwords. If they find one of yours, they'll report it to you.

A dark web breach monitor is a much better solution than waiting for a company to report. Breaches often involve liability and litigation. Companies aren't in a hurry to reveal that they've suffered a breach.

9. Educate Your Employees

Security is only as strong as your weakest link. An employee who doesn't practice any of the above is a liability to your company's overall security posture. Small IT teams have a lot on their plate, and educating employees is one such responsibility.

It doesn't take much to educate. Teaching employees the value of the above principles should only take a few training sessions. The end result is stronger security for your organization as a whole.

10. Use MDR Security

As we've said earlier, the password is not an elegant cybersecurity solution. It suffers from common cyber threats despite being the bulwark protecting our accounts.

Until we usher passwords out the door for good, there are solutions to make up for their deficiencies. One of these is MDR security. MDR (managed detection and response) is an exhaustive umbrella solution for any enterprise setup.

MDR combines trained AI and automation to provide tailored protection for your organization. It's more than a mere set of filter rules and virus sandboxes. MDR hunts down potential vulnerabilities and strengthens your security as a whole.

Weak passwords could be just the beginning of your system's vulnerabilities. Use MDR to help provide full-scale visibility in order to assess your network's resilience.

Use MDR in Tandem With Strong Passwords

Passwords are the last line of defense between hackers and your precious data. Despite that fact, passwords are problematic in a number of ways. Password best practices include using strong passwords, a password manager, 2FA, and much more.

While passwords might not be the best security solution, there are other ways to secure your network. MDR is an excellent solution for protecting what matters most.

That's why you need BitLyft. Check out our pricing options today and make the upgrade to the most formidable security there is.


Emily Miller

Emily Miller, BitLyft's dynamic Content Marketing Manager, brings a vibrant blend of creativity and clarity to the cybersecurity industry. Joining BitLyft over a year ago, Emily quickly became a key team member, using her Advertising and Public Relations degree from the University of Tampa and over 10 years of experience in graphic design, content management, writing, and digital marketing to make cybersecurity content accessible and engaging. Outside of BitLyft, Emily expresses her creativity through photography, painting, music, and reading. Currently, she's nurturing a cutting flower garden, reflecting her belief that both her work and gardening require patience, care, and creativity.
